Questions tagged [apparmor]

AppArmor ("Application Armor") is a Linux Security Module that implements mandatory access control (MAC). It complements, rather than replaces, the standard Unix discretionary access control (DAC) permissions, and it is meant to be easy to deploy: an administrator confines only specific applications, each with a profile (identified by the program's path) that lists the files, capabilities and network access the program may use. A profile runs in complain mode, where violations are logged but allowed, or enforce mode, where they are denied; either way the kernel reports them as type=1400 audit records in the kernel log (type=AVC under auditd), which is where most of the questions below begin.

12 votes
1 answer
490 views

apparmor: same profile for multiple apps

so I have: #include <tunables/global> /usr/bin/python2.7 { /** mixrw, deny /** lwk, } /usr/lib/jvm/java-6-openjdk/jre/bin/java { /** mixrw, deny /** lwk, } /var/www/service/...
ren
11 votes
1 answer
13k views

mysql init-file config option giving file not found error

I want to have a SQL script run whenever mysql starts but I can't get it working in Ubuntu 11.10. I added a "init-file" option to the mysql config file: > sudo emacs -nw /etc/mysql/my.cnf ... [...
Tom
9 votes
1 answer
7k views

How to disallow the Docker Daemon to mount host's root file system into the container

I have the following Container Setup. On a bare metal server two Docker Daemons are installed and running. Main Docker Daemon Runs my application containers exposing 80/443 to the outside world. ...
Vad1mo
5 votes
2 answers
2k views

Does nginx really need dac_override in its AppArmor policy?

I am building an AppArmor policy for nginx in Ubuntu 14.04 and I cannot make it work without enabling the dac_override capability. Does nginx really need this enabled or is there some way to work ...
Federico B.
5 votes
1 answer
5k views

Best way to set up permissions with nginx + php-fpm on shared hosting?

I'm running a shared hosting server with nginx and php-fpm on Debian. Everything works fine, php-fpm has separate pools for each users running as separate users and they each have their own socks. ...
dBi
5 votes
1 answer
4k views

Apparmor denies ntpd access to its own logs

ntpd complains that it cannot access its own logs # ntpd -qgddd ... 11 Sep 16:23:00 ntpd[7262]: can't open /var/log/ntpstats/peerstats.20130911: Permission denied ... 11 Sep 16:23:01 ntpd[7262]: ...
Damn Terminal
5 votes
0 answers
371 views

Apparmor externally included hats not working

Running apache2 on Ubuntu 12.04, using mod-apparmor for change-hat support. I have installed and verified that change-hat is working but that it is not working for externally included hats like the ...
David
4 votes
2 answers
6k views

MySQL moving ibdata & ib_logfile

I'm trying to move ibdata & ib_logfile on ssd drive. I tried this way, but it doesn't work: service mysql stop cd /var/lib/ cp -ra mysql mysql_backup cp -a mysql/ibdata1 mysql/ib_logfile* /...
XoR
4 votes
2 answers
3k views

Reducing the verbosity of auditd, my minimal rules catch stuff they should not (apparmor)

My auditd rules and my needs are fairly simple, I want only to log root actions. # auditctl -l -a always,exit -S all -F euid=0 -F perm=x -F key=ROOT_ACTION That is the only rule, and it works: type=...
Nanzikambe
4 votes
2 answers
4k views

How do I get the right AppArmor profile for mysql on Ubuntu?

I think I have an old profile (copied below). I don't know where to look to find the correct profile. Is there an authoritative source for standard apparmor profiles - or would this be somewhere in ...
Confused Vorlon
4 votes
1 answer
3k views

AppArmor - root: "You do not have enough privilege to read the profile set."

I'm trying to use AppArmor on a remote hosted Xen server with a custom built kernel. AppArmor appears to be running, but not correctly. For example if I run the following command as root: # aa-...
neoCrimeLabs
4 votes
2 answers
370 views

How can I run a command with a specific AppArmor profile/hat?

I'm hoping there exists something like sudo for AppArmor, so I can run something in a context like: aado -hat my-hat command arg arg arg Does this exist?
wowest
4 votes
2 answers
5k views

New Dovecot install not allowing login, giving permissions error despite saying that permissions "appear ok"

I'm installing dovecot onto a Virtualbox VM running Ubuntu Server 64-bit 14.04 guest. Dovecot itself is being installed into a Docker container (I'm not sure that that's relevant here, but am noting ...
J L
4 votes
2 answers
2k views

Strict security and virtual host isolation with Nginx?

I currently have an Apache web server set up under which each virtual host is isolated using HTTPD-ITK and the AppArmor module. Each virtual host's workers are setuid/setgid by the server and are ...
June Rhodes
4 votes
0 answers
1k views

Moving Rocket.Chat data to different hard drive

I have Rocket.Chat running on Ubuntu 18.04.4 LTS through Snap. I would like to move the data (but not the entire snap) to another hard drive. So far this is what I have tried: Backup Rocket.Chat ...
user2395126
3 votes
2 answers
5k views

Permission denied error when launching instance ("Could not open backing file")

Working with OpenStack, installed from packages available on Debian testing (buster). When I try to launch an instance, it fails after building with this message in nova-compute.log: Could not open ...
d3query
3 votes
2 answers
897 views

apparmor not working ubuntu 11.04 inside OpenVZ

so it seems I have everything installed, but apparmor_status gives "apparmor module is not loaded." Also some apparmor scripts check for presence of /sys/module/apparmor and it is not there... Any ...
ren
3 votes
1 answer
3k views

Creating a Linux "sandbox" with AppArmor

I'm trying to sandbox a particular Python process, giving it access only to network communications and a select number of files on the file system. I followed the directions on the Ubuntu community ...
nickname
3 votes
1 answer
2k views

Mounting a network file system inside LXC on Ubuntu 12.10

On an Ubuntu 12.10 server, I created an Ubuntu cloud lxc container. In the /var/lib/lxc/MY_CONTAINER/config file, I uncommented the line: lxc.aa_profile = unconfined and started the container. ...
Joshua D. Boyd
2 votes
1 answer
1k views

How to properly secure Unicorn/RoR server on ubuntu? Or, harden RoR application stack?

I have few Unicorn servers running on Ubuntu 12.04 and I am looking to secure them against exploits which give remote shell. My main concern is, if it makes sense to deploy ModSecurity? Another ...
Andrew Smith
2 votes
1 answer
506 views

kvm snapshot-create-as failed

I have Ubuntu server with qemu/kvm. I'm trying to create a snapshot (for further backup) using libvirt and get this error: # virsh snapshot-create-as --domain 56 --name copy_snap --no-metadata --disk-only ...
ComBin
2 votes
1 answer
6k views

mysql won't start after update (seems an apparmor issue)

I just updated mysql-server to 5.5.35-0ubuntu0.12.04.1 and MySQL does not restart anymore. dmesg shows following errors: [ 832.490460] type=1400 audit(1392612759.575:31): apparmor="STATUS" operation=...
Evzin
2 votes
0 answers
318 views

AppArmor: How to apply different profiles for same executable according to UID?

I'd like to jail my (chrooted) php-fpm pool workers using AppArmor. As each pool runs under a separate UID, I'd like to apply different AppArmor profiles for the workers so that a worker process can ...
lynix
2 votes
0 answers
337 views

Apparmor default allow profile

I read this page and am confused: http://wiki.apparmor.net/index.php/FAQ#What_is_Default_Deny_.28White_listing.29 I want to create a profile for my command and I want my profile to be in "default allow (...
user263915
1 vote
1 answer
2k views

How do I patch my kernel 3.2 with apparmor kernel patches?

I have Ubuntu 12.04 with kernel 3.2 (64 bits) I downloaded apparmor-2.8.0.tar.gz at https://launchpad.net/apparmor/2.8/2...r-2.8.0.tar.gz After I untar, I go into apparmor-2.8.0/kernel-patches/3.2/ ...
ericd
1 vote
1 answer
4k views

apparmor on fedora / rhel / centos

My application relies heavily on AppArmor for security. I use Ubuntu to host it myself, but I have gotten requests from others that want to host in on a Fedora or RHEL machine. Now I am aware that ...
Jeroen Ooms
1 vote
2 answers
585 views

What is the state of AppArmor network rules in the latest kernel?

I decided to give AppArmor a try and while it works great at restricting file access, signals handling etc., it completely ignores any network rules. It doesn't complain about anything, but it also ...
Vojtech Kane
1 vote
1 answer
105 views

Processes not in enforce mode although a profile is defined?

I have defined the following profile #include <tunables/global> /usr/bin/convert.im6 { #include <abstractions/base> /usr/bin/convert.im6 mr, /** mrwlkix, set rlimit as <= ...
Cobra_Fast
1 vote
1 answer
4k views

need to configure BIND server query logging with versions

I've been trying to get BIND server query logging working, creating 3 versions, max 100mb each. The system is SUSE SLES 11. I have found numerous how to articles on the web but none of them do ...
GC78
1 vote
1 answer
1k views

Creating a raw InnoDB disk in Ubuntu 10.04 with LVM

I'm trying to create a 2TB raw partition for MySQL/InnoDB to use on one of my LVM's. I created the raw disk: Disk /dev/mapper/g0-sql: 2190.4 GB, 2190433320960 bytes 255 heads, 63 sectors/track, ...
Clayton Dukes
1 vote
1 answer
168 views

AppArmor failing to start

I'm trying to start AppArmor in an openSUSE 11.4 system. I run: rcapparmor start and I always get this error: Starting AppArmor Loading AppArmor module failed Is there any log ...
Lluis Sanchez
1 vote
0 answers
157 views

Apparmor and libvirt - warnings and errors

I have a fresh Debian 12 installed and updated. Along with Cockpit and Cockpit virtual machines. I am getting the following errors and warning when looking at the log section in Cockpit: Failed to ...
Clicker85
1 vote
0 answers
199 views

libvirt qemu AppArmor 9p hard links

I am using libvirt with qemu on a debian host. One virtual machine has a 9p mount point defined: <filesystem type='mount' accessmode='mapped'> <source dir='/mnt/pool/share'/> <...
felinira
1 vote
0 answers
110 views

lxc with apparmor - where should be defined profiles

I created /root/example.sh from here at the host, and with aa-genprof denied it. # ./example.sh This is an apparmor example. ./example.sh: line 5: /usr/bin/touch: Permission denied File created ./...
SledgehammerPL
1 vote
2 answers
835 views

Dovecot lxc apparmor denied (Buster)

I can't run dovecot in lxc on Buster. I turn off PrivateTmp, but it isn't enough... Still : [ 4850.883141] audit: type=1400 audit(1563803461.322:34): apparmor="DENIED" operation="mount" info="failed ...
SledgehammerPL
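The denial record quoted in this question, like the ntpd, mysqld and nginx denials elsewhere on this page, is the same key="value" audit format, so the first triage step is always the same: parse the records, group them by profile, and turn each distinct request into a candidate rule the way aa-logprof does. The script below is an added example, not code from the original page or from the AppArmor project. The log lines embedded in it are constructed to resemble the ones quoted on this page (paths, PIDs and timestamps are invented), and the rules it prints are suggestions to review, not policy to paste.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the dmesg / audit output quoted in the
# questions on this page. Paths, PIDs and timestamps are made up for the example.
SAMPLE_LOG = """\
[  832.490460] type=1400 audit(1392612759.575:31): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/mysqld" pid=1401 comm="apparmor_parser"
[  833.112233] type=1400 audit(1392612760.001:32): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/u/apps/mysql/ibdata1" pid=1450 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106
[  833.112500] type=1400 audit(1392612760.002:33): apparmor="DENIED" operation="mknod" profile="/usr/sbin/mysqld" name="/u/apps/mysql/mysql.sock" pid=1450 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
[  833.200000] type=1400 audit(1392612760.100:34): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/u/apps/mysql/ibdata1" pid=1450 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
[  900.000001] type=1400 audit(1392612827.000:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=2001 comm="nginx" capability=1  capname="dac_override"
[  901.000001] type=1400 audit(1392612828.000:36): apparmor="DENIED" operation="create" profile="/usr/bin/python2.7" pid=2100 comm="python" family="inet" sock_type="stream" protocol=6
[ 4850.883141] audit: type=1400 audit(1563803461.322:37): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/tmp/" pid=3000 comm="mount" flags="rw, nosuid, nodev, bind"
"""

# key="quoted value" or key=bareword; the audit(...) prefix has no '=' and is ignored
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MASK_ORDER = "mrwalk"                 # letter order used when printing a file rule
REQUESTS = {"DENIED", "ALLOWED"}      # ALLOWED is what complain mode logs for a would-be denial


def parse_record(line):
    """Split one AppArmor audit record into a dict; None if the line is not one."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for m in TOKEN.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec


def file_mask(denied):
    """denied_mask letters as a set of rule letters: 'c' (create) is written 'w' in a rule."""
    return set(denied.replace("c", "w"))


def suggest(records):
    """Group permission requests by profile and return one candidate rule per distinct need."""
    file_needs = defaultdict(set)     # (profile, path) -> union of mask letters seen
    other = defaultdict(set)          # profile -> non-file rules (capability, network, mount)
    for r in records:
        if r.get("apparmor") not in REQUESTS:
            continue                  # STATUS / AUDIT / HINT records carry no permission request
        prof = r.get("profile", "?")
        op = r.get("operation", "")
        if op == "capable":
            other[prof].add(f"capability {r.get('capname', '?')},")
        elif "family" in r and "sock_type" in r:
            other[prof].add(f"network {r['family']} {r['sock_type']},")
        elif op == "mount" and "name" in r:
            if r.get("flags"):
                opts = ",".join(f.strip() for f in r["flags"].split(","))
                other[prof].add(f"mount options=({opts}) -> {r['name']},")
            else:
                other[prof].add(f"mount -> {r['name']},")
        elif "name" in r and "denied_mask" in r:
            file_needs[(prof, r["name"])] |= file_mask(r["denied_mask"])
    rules = defaultdict(list)
    for (prof, path), letters in file_needs.items():
        mask = "".join(c for c in MASK_ORDER if c in letters)
        if "x" in letters:
            # exec needs a qualifier; ix (inherit the current profile) is the conservative
            # default for a suggestion, but px/Px/ux must be chosen deliberately
            mask += "ix"
        rules[prof].append(f"{path} {mask},")
    for prof, extra in other.items():
        rules[prof].extend(extra)
    return {p: sorted(v) for p, v in rules.items()}


def triage(text):
    """Parse a block of kernel-log / auditd text and return {profile: [candidate rules]}."""
    records = [r for r in (parse_record(line) for line in text.splitlines()) if r]
    return suggest(records)


if __name__ == "__main__":
    for profile, rules in triage(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Two things the output deliberately leaves to the reader. Path rules are literal: a moved datadir wants a glob such as `/u/apps/mysql/** rwk,` (with a matching `owner` restriction if possible) rather than one line per file the log happened to show. And a `capability dac_override,` suggestion should be read as a question, not an answer: it usually means the daemon is opening a file it does not own, and fixing ownership is the better cure than granting the capability, which is exactly the point of the nginx question above. Feed the script `journalctl -k` or the relevant lines of `/var/log/kern.log` and `/var/log/audit/audit.log`; in complain mode the same records arrive as apparmor="ALLOWED" and are handled identically.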
1 vote
0 answers
321 views

AppArmor denies changes in mysqld.cnf

I've got the following issue with MySQL on an Ubuntu 16.04.3 LTS instance with AppArmor activated. The issue happens when changing MySQL's bind-address to anything other than 127.0.0.X and restarts ...
d00dle
1 vote
0 answers
431 views

apparmor.service fails within container (LXC)

I am trying to enable apparmor within the privileged container but for some reason it fails. I have already enabled the apparmor in the host kernel(4.9) and also in the userspace(apparmor 2.11 version)...
Thushi
1 vote
1 answer
213 views

Bind9 and different zone locations

I'm just trying to get a DNS server off the ground and most of the guides I followed online tell me to create zone files in /etc/bind/zones or just /etc/bind/. But I want to use a different path, /...
OrangesV
1 vote
1 answer
276 views

Ubuntu 10.04 bind9 local zone include files and apparmor

Rather than putting all my zones in one named.conf.local file, I'd like to have them in groups that I can manage as separate files. So, I've tried putting the following into named.conf.local: ...
Gilgongo
0 votes
1 answer
942 views

Do I need to chroot BIND 9 if I'm using AppArmor? [duplicate]

Possible Duplicate: bind9 in a chroot jail - necessary or not? I'm redoing my external dns servers and thinking about skipping chroot this time. And using apparmor or selinux as an alternative. ...
falkowich
0 votes
2 answers
1k views

apparmor blocking mysql start

I'm running ubuntu 12.04 and moved the datadir for my mysql server (retaining same ownerships and permissions) from /var/lib/mysql to /u/apps/mysql in /etc/mysql/my.cnf, then I updated /etc/apparmor.d/...
Craig
0 votes
1 answer
2k views

Allowing socket access in apparmor

I am using php-fpm running an application which needs to access e.g. /var/run/redis/redis-server.sock In aa-complain or aa-enforce, logs are captured by the host (not the container) and appear in /...
Pricey
0 votes
1 answer
518 views

apparmor doesn't react on my profiling

After installing debian buster apparmor made my life harder. But I want to get familiar with it, so I try to tune profiles (I'm very debianish, so I hope that it is temporary, next upgrade should fix most ...
SledgehammerPL
0 votes
1 answer
6k views

Enabling apparmor for Apache2 in Ubuntu 18.04

I’m looking for a way to enable the Apache2 apparmor profile on Ubuntu Server 18.04 According to the documentation it has to be manually activated (opt-in): https://wiki.ubuntu.com/SecurityTeam/...
gijs007
0 votes
3 answers
3k views

BIND9 denying queries from IPs outside localnet (External IPs) on Ubuntu

BIND9 denying queries from IPs outside localnet (External IPs) on Ubuntu. options { listen-on port 53 { any; }; directory "/var/bind"; allow-query ...
ZZ9
0 votes
1 answer
126 views

Is there a way to restore iptables rules to the ones set after a fresh installation?

I have a server which is being kept behind a corporate firewall, so the corporate firewall takes care of all firewall issues. After making a fresh installation of the server, and setting the ...
Luis M. Valenzuela
0 votes
1 answer
736 views

gcc sandboxing tool - AppArmor / CHROOT jail on Ubuntu 12.04

We have a Node application as the front end to a C++ sandboxing tool, which compiles code using gcc and outputs the result to the browser. e.g. exec("gcc -o /tmp/test /tmp/test.cpp", function (...
StuR
0 votes
0 answers
132 views

AppArmor issues with Libvirt

I have a fresh Ubuntu Server 22.04.3 and Debian 12.1.0 installed and updated. Along with Cockpit and Cockpit virtual machines on both tests machines. I am getting the following errors and warning when ...
Johannes
0 votes
0 answers
30 views

AppArmor rule to allow QEMU to create a char device socket in a directory

Given the following command line for QEMU (from this page): qemu-system-x86_64 -machine accel=kvm -cpu host \ -m $mem -object memory-backend-file,id=mem,size=$mem,mem-path=/dev/hugepages,share=on \...
Ken Y-N
0 votes
0 answers
18 views

using kyverno instead of apparmor

We want to use AppArmor for pod and container security. We have Kyverno and it's possible to add some capabilities using that. I want to know if it is possible to replace AppArmor with Kyverno for our ...
Michael Cab